IKE proposal to offer instead of default. For IKEv1, a single proposal consists of one encryption algorithm, an integrity/PRF algorithm and a DH group. IKEv2 can propose multiple algorithms of the same kind. To specify multiple proposals, repeat the option.

--esp-proposal proposal

ESP proposal to offer instead of default. For IKEv1, a single proposal consists of one encryption algorithm, an integrity algorithm and an optional DH group for Perfect Forward Secrecy rekeying. IKEv2 can propose multiple algorithms of the same kind. To specify multiple proposals, repeat the option.

--ah-proposal proposal

AH proposal to offer instead of ESP. For IKEv1, a single proposal consists of an integrity algorithm and an optional DH group for Perfect Forward Secrecy rekeying. IKEv2 can propose multiple algorithms of the same kind. To specify multiple proposals, repeat the option.

--profile name

Authentication profile to use, the list of supported profiles can be found in the Authentication Profiles sections below. Defaults to ikev2-pub if a private key was supplied, and to ikev2-eap otherwise.

IKEv2 Authentication Profiles

ikev2-pub

IKEv2 with public key client and server authentication

ikev2-eap

IKEv2 with EAP client authentication and public key server authentication

ikev2-pub-eap

IKEv2 with public key and EAP client authentication (RFC 4739) and public key server authentication

IKEv1 Authentication Profiles

The following authentication profiles use either Main Mode or Aggressive Mode, the latter is denoted with a -am suffix.

ikev1-pub, ikev1-pub-am

IKEv1 with public key client and server authentication

ikev1-xauth, ikev1-xauth-am

IKEv1 with public key client and server authentication, followed by client XAuth authentication